
ISE BYOD: Dual vs. Single SSID Onboarding

In general, it is recommended to minimize the number of SSIDs. Also, if guest access uses hotspot access, single-SSID BYOD is recommended, because the open SSID using the hotspot portal cannot be used for the initial BYOD portal at the same time. With single-SSID BYOD, the endpoint associates to a secure WLAN and gets onboarded; after the endpoint automatically reconnects, it is granted full network access via the same WLAN.

If guest access uses one of the named guest accounts, the same guest portal can be used as the employee BYOD portal. This flow is called dual-SSID BYOD: the endpoint associates to a provisioning WLAN, which is typically shared with guest access. When ISE confirms that the user is an employee, it directs the user to the BYOD flow, where the endpoint gets onboarded. Once provisioned with the WLAN settings and possibly a CA-signed certificate, the endpoint reconnects to the secured WLAN for full network access.

Single SSID

Pros:
- User experience is better for iDevice users, as SSID switching from OPEN to SECURED does not require user intervention
- This is a unique capability of ISE: competitor solutions force the user to log in twice, while ISE can take user information from the 802.1X session without asking the user to log in again to the web portal

Cons:
- When end users connect to the SSID for the first time, there is no easy way to validate whether the server-provided certificate is from a trusted source

Dual SSID

Pros:
- Some organizations prefer having a dedicated SSID for onboarding devices
- Can provide visible guidance to the user on the BYOD process before logging in
- Better security: the user can confirm that the BYOD server is legitimate, as the user does not get prompted to manually trust the EAP certificate
- ID store is LDAP, and cannot currently start with PEAP with MSCHAPv2 to an LDAP store
- Wired deployments where one cannot assume the client already has 802.1X enabled on the wired interface
- Can be configured to use a secured SSID that is not broadcasting
- In the case of the dual-SSID flow, the BYOD portal can be configured to allow guest access if the employee does not want to go through the BYOD flow

Cons:
- Fast-SSID change setting needs to be enabled on the WLC to accommodate iOS devices
- Others see dual SSID as an extra management burden
- A second SSID adds channel overhead and may degrade wireless performance
- Requires iOS users to manually switch SSID
